dridex | a207eff9085223b41efa50e8c5212159b2f546e2ca348cbecb014a29460b3cbd

General

Target

a207eff9085223b41efa50e8c5212159b2f546e2ca348cbecb014a29460b3cbd.dll
Size

848KB
MD5

981cdedd76e4b8ca77fd40a4caf72463
SHA1

10570f977b5af392293fbc3f9d7174ada4f5ad20
SHA256

a207eff9085223b41efa50e8c5212159b2f546e2ca348cbecb014a29460b3cbd
SHA512

2ee0cc26858ca7ef05c6ce087a404875d8199b0c8454ea22cad301d9aad6e7bc9cc1e3996538cb5ce731ae7541cc4c7efa781342bf79567e1210626957881dc9
SSDEEP

12288:rZgJtlQepQn+NDo7nIgegQCLDF/B9wvj/cLvVZFuw:rZK6F7nVeRmDFJivohZFV

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1244-5-0x0000000002BC0000-0x0000000002BC1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

wusa.exedpapimig.exemfpmp.exe

pid process

2484 wusa.exe
588 dpapimig.exe
2892 mfpmp.exe
Loads dropped DLL 7 IoCs

Processes:

wusa.exedpapimig.exemfpmp.exe

pid process

1244
2484 wusa.exe
1244
588 dpapimig.exe
1244
2892 mfpmp.exe
1244

pid	process
2484	wusa.exe
588	dpapimig.exe
2892	mfpmp.exe

pid	process
1244
2484	wusa.exe
1244
588	dpapimig.exe
1244
2892	mfpmp.exe
1244

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\Dwddifi = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\708O\\dpapimig.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exewusa.exedpapimig.exemfpmp.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wusa.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dpapimig.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mfpmp.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exewusa.exedpapimig.exe

pid	process
1376	rundll32.exe
1376	rundll32.exe
1376	rundll32.exe
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
2484	wusa.exe
2484	wusa.exe
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
588	dpapimig.exe
588	dpapimig.exe
1244
1244
1244

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1244 wrote to memory of 2592	1244	wusa.exe
PID 1244 wrote to memory of 2592	1244	wusa.exe
PID 1244 wrote to memory of 2592	1244	wusa.exe
PID 1244 wrote to memory of 2484	1244	wusa.exe
PID 1244 wrote to memory of 2484	1244	wusa.exe
PID 1244 wrote to memory of 2484	1244	wusa.exe
PID 1244 wrote to memory of 1868	1244	dpapimig.exe
PID 1244 wrote to memory of 1868	1244	dpapimig.exe
PID 1244 wrote to memory of 1868	1244	dpapimig.exe
PID 1244 wrote to memory of 588	1244	dpapimig.exe
PID 1244 wrote to memory of 588	1244	dpapimig.exe
PID 1244 wrote to memory of 588	1244	dpapimig.exe
PID 1244 wrote to memory of 2844	1244	mfpmp.exe
PID 1244 wrote to memory of 2844	1244	mfpmp.exe
PID 1244 wrote to memory of 2844	1244	mfpmp.exe
PID 1244 wrote to memory of 2892	1244	mfpmp.exe
PID 1244 wrote to memory of 2892	1244	mfpmp.exe
PID 1244 wrote to memory of 2892	1244	mfpmp.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a207eff9085223b41efa50e8c5212159b2f546e2ca348cbecb014a29460b3cbd.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1376

C:\Windows\system32\wusa.exe
C:\Windows\system32\wusa.exe
1⤵
PID:2592

C:\Users\Admin\AppData\Local\zCphRcOR\wusa.exe
C:\Users\Admin\AppData\Local\zCphRcOR\wusa.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2484

C:\Windows\system32\dpapimig.exe
C:\Windows\system32\dpapimig.exe
1⤵
PID:1868

C:\Users\Admin\AppData\Local\wEaC\dpapimig.exe
C:\Users\Admin\AppData\Local\wEaC\dpapimig.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:588

C:\Windows\system32\mfpmp.exe
C:\Windows\system32\mfpmp.exe
1⤵
PID:2844

C:\Users\Admin\AppData\Local\h8mGcLCTS\mfpmp.exe
C:\Users\Admin\AppData\Local\h8mGcLCTS\mfpmp.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2892

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\h8mGcLCTS\MFPlat.DLL
Filesize
856KB

MD5
c3f5111a4b743da67a95c85760fbe949

SHA1
5f269415fec0401edffc22ac381242f05b7656c0

SHA256
7beea8c07aed213a7d4f8cd4781d3902a7b091dc7cd4721b40503163b9941b23

SHA512
2a01e76c165d69f55e33865784de063933f156fa2e57ece963d9ae78a39069f1d92740e6d1460084617288ae13a92ebdbb1fca5866ab8e2392212c6fa6112754

Download Submit
C:\Users\Admin\AppData\Local\wEaC\DUI70.dll
Filesize
1.0MB

MD5
d5146bdcba5273f8692ce04cafc71478

SHA1
a51acf6ae135614ac4d0493bd34ee9167720655e

SHA256
b47ac15e30c743a5bd1ae7f663ecda8400bf4fc058dc0557bcae77a9bfaaa260

SHA512
29dad80723a5653cbf137d5a8d848ff6e23b6770ee1b289a2e60bf9becf3534453abaede2b82e2979e5f51875cbc74f86fdb276d252b7828fb4233a16d3b733e

Download Submit
C:\Users\Admin\AppData\Local\zCphRcOR\WTSAPI32.dll
Filesize
852KB

MD5
b909674ff7cd2762c5b67b3f428797d6

SHA1
f7cbfb3cbce0f88af9a6b1164ced5829a2a82e86

SHA256
e08f00e0f0fc20ed88d60879605a02a9bf42ab4968686c6aff7090c7e53274d3

SHA512
b67d4bde36a35470d092d45d8e0c0032230abd5ec31f9a6cb638e4f6b950919a655184b937d5a4b67dae11358890472c9499762ad22d22a20e1c304cdc262193

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Bxxouhrcnfnreok.lnk
Filesize
1KB

MD5
8ec6196faa4e5b324c2e14985c9626e1

SHA1
edacca1fb25614540721d30787b9ccd7487c0f79

SHA256
e89734ede521cad61aabb1dde70df006dcbd92659317047ccd333cf2616f5bc0

SHA512
f6a555e42ff82cf21ed33409039d5a37e88bbdd70812021f80083cdce15d0901a364e3f1b592a7075d8ab75f4faded63c9414e6f969f6968e674a578a5001e10

Download Submit
\Users\Admin\AppData\Local\h8mGcLCTS\mfpmp.exe
Filesize
24KB

MD5
2d8600b94de72a9d771cbb56b9f9c331

SHA1
a0e2ac409159546183aa45875497844c4adb5aac

SHA256
7d8d8918761b8b6c95758375a6e7cf7fb8e43abfdd3846476219883ef3f8c185

SHA512
3aaa6619f29434c294b9b197c3b86fdc5d88b0254c8f35f010c9b5f254fd47fbc3272412907e2a5a4f490bda2acfbbd7a90f968e25067abf921b934d2616eafc

Download Submit
\Users\Admin\AppData\Local\wEaC\dpapimig.exe
Filesize
73KB

MD5
0e8b8abea4e23ddc9a70614f3f651303

SHA1
6d332ba4e7a78039f75b211845514ab35ab467b2

SHA256
66fc6b68e54b8840a38b4de980cc22aed21009afc1494a9cc68e892329f076a1

SHA512
4feded78f9b953472266693e0943030d00f82a5cc8559df60ae0479de281164155e19687afc67cba74d04bb9ad092f5c7732f2d2f9b06274ca2ae87dc2d4a6dc

Download Submit
\Users\Admin\AppData\Local\zCphRcOR\wusa.exe
Filesize
300KB

MD5
c15b3d813f4382ade98f1892350f21c7

SHA1
a45c5abc6751bc8b9041e5e07923fa4fc1b4542b

SHA256
8f067da98eb3ea9f1db2f0063ff54e07d992fbf051779b467e222639be4127e3

SHA512
6d028fe81fe45d0ef291741513ecf939e412912647347d4d5bad89571f33e1084dc0fd26eb7313c7191f938c3f50243f453e2690e2475fc3f5539a20c2ff2f3c

Download Submit
memory/588-84-0x000007FEF65D0000-0x000007FEF66D8000-memory.dmp

Filesize
1.0MB

Download
memory/588-79-0x000007FEF65D0000-0x000007FEF66D8000-memory.dmp

Filesize
1.0MB

Download
memory/1244-23-0x0000000140000000-0x00000001400D4000-memory.dmp

Filesize
848KB

Download
memory/1244-35-0x0000000077771000-0x0000000077772000-memory.dmp

Filesize
4KB

Download
memory/1244-13-0x0000000140000000-0x00000001400D4000-memory.dmp

Filesize
848KB

Download
memory/1244-12-0x0000000140000000-0x00000001400D4000-memory.dmp

Filesize
848KB

Download
memory/1244-11-0x0000000140000000-0x00000001400D4000-memory.dmp

Filesize
848KB

Download
memory/1244-20-0x0000000140000000-0x00000001400D4000-memory.dmp

Filesize
848KB

Download
memory/1244-21-0x0000000140000000-0x00000001400D4000-memory.dmp

Filesize
848KB

Download
memory/1244-19-0x0000000140000000-0x00000001400D4000-memory.dmp

Filesize
848KB

Download
memory/1244-18-0x0000000140000000-0x00000001400D4000-memory.dmp

Filesize
848KB

Download
memory/1244-17-0x0000000140000000-0x00000001400D4000-memory.dmp

Filesize
848KB

Download
memory/1244-22-0x0000000140000000-0x00000001400D4000-memory.dmp

Filesize
848KB

Download
memory/1244-25-0x0000000140000000-0x00000001400D4000-memory.dmp

Filesize
848KB

Download
memory/1244-24-0x0000000140000000-0x00000001400D4000-memory.dmp

Filesize
848KB

Download
memory/1244-98-0x0000000077666000-0x0000000077667000-memory.dmp

Filesize
4KB

Download
memory/1244-26-0x0000000002B30000-0x0000000002B37000-memory.dmp

Filesize
28KB

Download
memory/1244-27-0x0000000140000000-0x00000001400D4000-memory.dmp

Filesize
848KB

Download
memory/1244-28-0x0000000140000000-0x00000001400D4000-memory.dmp

Filesize
848KB

Download
memory/1244-34-0x0000000140000000-0x00000001400D4000-memory.dmp

Filesize
848KB

Download
memory/1244-38-0x00000000778D0000-0x00000000778D2000-memory.dmp

Filesize
8KB

Download
memory/1244-14-0x0000000140000000-0x00000001400D4000-memory.dmp

Filesize
848KB

Download
memory/1244-41-0x0000000140000000-0x00000001400D4000-memory.dmp

Filesize
848KB

Download
memory/1244-45-0x0000000140000000-0x00000001400D4000-memory.dmp

Filesize
848KB

Download
memory/1244-16-0x0000000140000000-0x00000001400D4000-memory.dmp

Filesize
848KB

Download
memory/1244-15-0x0000000140000000-0x00000001400D4000-memory.dmp

Filesize
848KB

Download
memory/1244-4-0x0000000077666000-0x0000000077667000-memory.dmp

Filesize
4KB

Download
memory/1244-5-0x0000000002BC0000-0x0000000002BC1000-memory.dmp

Filesize
4KB

Download
memory/1244-10-0x0000000140000000-0x00000001400D4000-memory.dmp

Filesize
848KB

Download
memory/1244-7-0x0000000140000000-0x00000001400D4000-memory.dmp

Filesize
848KB

Download
memory/1244-9-0x0000000140000000-0x00000001400D4000-memory.dmp

Filesize
848KB

Download
memory/1376-8-0x000007FEF6600000-0x000007FEF66D4000-memory.dmp

Filesize
848KB

Download
memory/1376-1-0x0000000000220000-0x0000000000227000-memory.dmp

Filesize
28KB

Download
memory/1376-0-0x000007FEF6600000-0x000007FEF66D4000-memory.dmp

Filesize
848KB

Download
memory/2484-65-0x000007FEF6DC0000-0x000007FEF6E95000-memory.dmp

Filesize
852KB

Download
memory/2484-59-0x00000000000E0000-0x00000000000E7000-memory.dmp

Filesize
28KB

Download
memory/2484-60-0x000007FEF6DC0000-0x000007FEF6E95000-memory.dmp

Filesize
852KB

Download
memory/2892-96-0x000007FEF6200000-0x000007FEF62D6000-memory.dmp

Filesize
856KB

Download
memory/2892-102-0x000007FEF6200000-0x000007FEF62D6000-memory.dmp

Filesize
856KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads